https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453249#M7320 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="server_name=ABC1,category_level=High server_name=ABC2,category_level=Med server_name=ABC3,category_level=Med server_name=ABC4,category_level=Low server_name=ABC5,category_level=Med server_name=ABC6,category_level=High server_name=ABC7,category_level=Med server_name=ABC8,category_level=High server_name=ABC9,category_level=Low server_name=ABC10,category_level=Low:::server_name=ABC1,category_level=High server_name=ABC2,category_level=High server_name=ABC3,category_level=High server_name=ABC4,category_level=Med server_name=ABC5,category_level=Med server_name=ABC6,category_level=High server_name=ABC7,category_level=Med server_name=ABC8,category_level=Low server_name=ABC9,category_level=Low server_name=ABC10,category_level=Low" | makemv delim=":::" raw | mvexpand raw | streamstats count AS _shift | eval _shift = "-" . (_shift - 1) . "mon" | eval _time = relative_time(_time, _shift) | makemv raw | mvexpand raw | rename raw AS _raw | kv | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | bin _time span=1m | dedup _time category_level server_name | reverse | stats list(category_level) AS transition BY server_name | eval transition=mvjoin(mvdedup(transition), "-&gt;") | append [|makeresults | eval transition="Low Med High Low-&gt;Med Low-&gt;High Med-&gt;Low Med-&gt;High High-&gt;Med High-&gt;Low" | makemv transition] | stats dc(server_name) AS count BY transition </CODE></PRE> Mon, 01 Jul 2019 21:01:48 GMT woodcock 2019-07-01T21:01:48Z https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453247#M7318 <P>I am looking at reporting on the changes in status over time. So if I have a list of servers, and they have 3 possible statuses. (High/Med/Low) and they change day to day. I want to know how many have changed from 1 category to the next. The data is indexed and can use the time picker.</P> <P>So I would need <BR /> <STRONG>Low=&gt; Med, Low=&gt; High, <BR /> Med=&gt; Low, Med=&gt; High, <BR /> High=&gt; Med, High=&gt; Low<BR /> Or 6 types of movements<BR /> By Month</STRONG></P> <P>Field Names would be server_name, category_level</P> <P>So, for example, let's say I had 10 servers for the month of May and their status below.</P> <P><STRONG>ABC1 - High<BR /> ABC2 - High<BR /> ABC3 - High<BR /> ABC4 - Med<BR /> ABC5 - Med<BR /> ABC6 - High<BR /> ABC7 - Med<BR /> ABC8 - Low<BR /> ABC9 - Low<BR /> ABC10 - Low</STRONG></P> <P>Then they change sometime in the middle of June to the below.</P> <P><STRONG>ABC1 - High<BR /> ABC2 - Med<BR /> ABC3 - Med<BR /> ABC4 - Low<BR /> ABC5 - Med<BR /> ABC6 - High<BR /> ABC7 - Med<BR /> ABC8 - High<BR /> ABC9 - Low<BR /> ABC10 - Low</STRONG></P> <P>I would want the totals to be. <BR /> <STRONG>2 servers moved from High=&gt;Med<BR /> 1 server moved from Med=&gt;Low<BR /> 1 server moved from Low=&gt; High</STRONG></P> <P>so the categories would be below for the month of June so if the status change at all during that month, count that change during that month.</P> <P><STRONG>Low=&gt; Med - 0<BR /> Low=&gt; High - 1<BR /> Med=&gt; Low - 1<BR /> Med=&gt; High - 0 <BR /> High=&gt; Med - 2<BR /> High=&gt; Low - 0</STRONG></P> Wed, 30 Sep 2020 01:08:39 GMT https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453247#M7318 Benzula 2020-09-30T01:08:39Z https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453248#M7319 <P>How exactly are you calculating this right now and especially, how are you indexing this?</P> <P>Summary indexing seems to be a good solution for this.</P> <P>First option: Run a daily search that populates a summary index with the host and category_level.</P> <P>The second option would be to use a lookup. </P> <P>However, you would not be able to look back in time. This would require a search populating a lookup once a month and then a search comparing that lookup from the previous month to your actual results.</P> <P>A third approach would be, create an index where you write a risk score (numerical) into the index for every host. These risk scores translate to your cagegory_level (calculated field for example, if(score&gt;10 AND &lt;20, "low") ) and you simply sum up the risk scores of the previous 30 days, for a monthly report. A simple lookup defined whether a host is high, medium or low. </P> <P>The third option has a benefit. You can simply look further into the past and see if a risk score of a host was higher two months ago compared to a month ago. </P> <P>Skalli</P> Mon, 01 Jul 2019 20:24:21 GMT https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453248#M7319 skalliger 2019-07-01T20:24:21Z https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453249#M7320 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="server_name=ABC1,category_level=High server_name=ABC2,category_level=Med server_name=ABC3,category_level=Med server_name=ABC4,category_level=Low server_name=ABC5,category_level=Med server_name=ABC6,category_level=High server_name=ABC7,category_level=Med server_name=ABC8,category_level=High server_name=ABC9,category_level=Low server_name=ABC10,category_level=Low:::server_name=ABC1,category_level=High server_name=ABC2,category_level=High server_name=ABC3,category_level=High server_name=ABC4,category_level=Med server_name=ABC5,category_level=Med server_name=ABC6,category_level=High server_name=ABC7,category_level=Med server_name=ABC8,category_level=Low server_name=ABC9,category_level=Low server_name=ABC10,category_level=Low" | makemv delim=":::" raw | mvexpand raw | streamstats count AS _shift | eval _shift = "-" . (_shift - 1) . "mon" | eval _time = relative_time(_time, _shift) | makemv raw | mvexpand raw | rename raw AS _raw | kv | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | bin _time span=1m | dedup _time category_level server_name | reverse | stats list(category_level) AS transition BY server_name | eval transition=mvjoin(mvdedup(transition), "-&gt;") | append [|makeresults | eval transition="Low Med High Low-&gt;Med Low-&gt;High Med-&gt;Low Med-&gt;High High-&gt;Med High-&gt;Low" | makemv transition] | stats dc(server_name) AS count BY transition </CODE></PRE> Mon, 01 Jul 2019 21:01:48 GMT https://community.splunk.com/t5/Reporting/How-to-report-status-change-over-time/m-p/453249#M7320 woodcock 2019-07-01T21:01:48Z